Healthcare organizations need to carefully scrutinize the security of electronic health record and other applications they use because encryption and other features often have shortcomings, says Chris Wysopal, CISO at the security firm Veracode.
While some EHR systems claim to encrypt data at rest or in transit to prevent breaches of PHI, many such systems have "broken" encryption, Wysopal contends in an interview with Information Security Media Group.
Some 80 percent of the encryption in all applications that Veracode tests "is not working the way it's supposed to," he says. That's because the encryption is using "an old, outdated algorithm, which is known to be weak, or the people who designed the software didn't do the proper checks to make sure they're handling error conditions properly," he says. And those issues potentially allow attackers to "manipulate the encryption system and bypass it."
That's why it's essential to test EHR software to determine if encryption functions are properly implemented, he says.
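The second failure Wysopal describes, an error condition that is never handled, can be made concrete with a small example (added here; not code from the interview or from Veracode): an encrypt-then-MAC decryptor that swallows the authentication failure and hands back tampered data, beside one that fails closed. The cipher is a hypothetical SHA-256 counter-mode stand-in, chosen only so the code runs on the Python standard library; the key and record are constructed sample values.

```python
import hashlib
import hmac
import os
NONCE_LEN, TAG_LEN = 12, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Hypothetical stand-in cipher (SHA-256 counter mode), stdlib only; not for production.
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(key, nonce || ciphertext)
    nonce = os.urandom(NONCE_LEN)
    body = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt_broken(key: bytes, blob: bytes) -> bytes:
    # Fails open: the tag mismatch raises, but the exception is swallowed and
    # the tampered ciphertext is decrypted and returned anyway.
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    try:
        if hmac.new(key, nonce + body, hashlib.sha256).digest() != tag:
            raise ValueError("authentication failed")
    except ValueError:
        pass  # error condition ignored, so integrity is never enforced
    return _xor(body, _keystream(key, nonce, len(body)))

def decrypt(key: bytes, blob: bytes) -> bytes:
    # Fails closed: short input or a bad tag is a hard error, checked in constant time.
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return _xor(body, _keystream(key, nonce, len(body)))

def tamper_check(key: bytes, plaintext: bytes) -> tuple:
    # Flip one ciphertext byte; return (broken_returns_garbage, hardened_rejects).
    blob = bytearray(encrypt(key, plaintext))
    blob[NONCE_LEN] ^= 0x01
    broken_returns_garbage = decrypt_broken(key, bytes(blob)) != plaintext
    try:
        decrypt(key, bytes(blob))
        return broken_returns_garbage, False
    except ValueError:
        return broken_returns_garbage, True
```

A test of the kind Wysopal recommends is exactly `tamper_check`: feed the decryptor modified ciphertext and confirm it refuses rather than silently returning altered PHI.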
Healthcare organizations also need to hold application vendors accountable by making sure liability clauses are included in contracts, he suggests, "so if something is broken with the software that causes a data breach, the vendor is liable for being the root cause of the problem."
Whether using purchased or self-developed apps, organizations also need to take precautions with the use of open-source components that may not meet security expectations, he adds. Such security shortcomings have led to some large healthcare breaches, including the hacker attack on Community Health Systems that exposed information on 4.5 million individuals. That incident apparently involved the Heartbleed vulnerability in an open-source software component.
In the interview, Wysopal also discusses:
- Steps to ensure mobile app security that go beyond using a mobile device management system;
- Software security challenges involving medical devices;
- Findings from a recent survey focusing on Web and mobile application security.
In addition to his role as CISO at Veracode, Wysopal is also the company's co-founder and chief technology officer. Previously, Wysopal was vice president of research and development at security consultancy @stake, which was acquired by Symantec. In the 1990s, Wysopal was a vulnerability researcher at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. Wysopal also has testified before Congress on government security and how vulnerabilities are discovered in software.